Informational Risk Management Implementation for ISO 9001:2015

Crusader

Trusted Information Resource
Thanks for chiming in above! We wrote new/revised old procedures and included the RBT in all except a couple. But since we just implemented it within the last 2 - 3 months, I wonder how we will do in the Stage 1....we'll all find out very soon (Monday 17th). I wasn't even sure how to audit it since it is so new. Everything written is what we do since it's newly written in text and not tribal knowledge. It's like everyone says, we've all been doing it but not realizing it and it was never outlined/written down until now.

:popcorn:

HA! I am quoting myself! Now that a few months have flown by and I have had a chance to see how the system works....NOT. FYI - Putting the RBT in procedures is a waste. No one looks at procedures. In addition, I also have all of those RBT's in a Register thingy in Excel. Double effort here. Which has proved to fail because if I want to update a risk, I have to update the darn-tootin' procedure too. UGH.
I am going to revise the procedures to eliminate the RBT. Maybe I will add a reference to the Register-thingy in the procedures instead? Maybe not? I will end up just having an external register-thingy in Excel. Which can be printed and posted in each department.

Now, for the chore of revising 18 procedures....:bonk:

comments, suggestions......:bigwave:
 

Crusader

Trusted Information Resource
Jen,

We're a small machine job shop. Very streamlined on our procedures and transitioning to 2015 from 2008. You talked about documented procedures for process controls. We have none of these and no work instructions. Instead, we work strictly off our work order/production traveler and the drawing for the job. Do you think this will satisfy the auditor?

The work order/traveler determines when the product goes to the lathe or milling areas and the CNC program runs in each area. First Article and in-process inspections are performed to monitor processes and whether we are meeting customer requirements. There is a big emphasis on aiming for the nominal dimension and not just staying within tolerance. Communication between QC (at First Article Inspection) and the operators is excellent so operators know what adjustments to the CNC program are required to achieve nominal dimensions. Do you think we still need to have documented procedures to maintain process control?

Holy cow! Yes, it will work-passed, certified, and registered to ISO 9001:2015. You just described where I work! Wait, who are you? Do you work here? LOL! :lol: Let me help...just PM me offline here for anything more specific.
 

Marc

Fully vaccinated are you?
Leader
The article essentially says: "You're already doing it, you just haven't recognized it as such." More people should recognize that fact.

"Risk Based Thinking" isn't new, any more than the "Process Approach" was when the 2000 version came out and people made a big deal about it. Same for, as the author points out, "Continual Improvement". John J. Guzik wrote:
If you were around for the release of ISO 9001:2000, you may remember the introduction of what was at that time a new topic called continual improvement. This caused many people to go off and create continual improvement programs as new tools in their QMSs.

Eventually, people saw how continual improvement could be demonstrated through areas listed in subclause 8.5.1: quality policy, quality objectives, audit results, analysis of data, corrective action, preventive action and management review.
In the many implementations of standards I did over the years, particularly with ISO 9001, the majority of it was going through the standard(s) and showing them that "You're already doing that. You comply with <ISO 9001 clause X> here in your system. Now, be ready to explain it to the auditor."

The key to implementations was teaching someone in a company what the standard was really asking/requiring, and as I have said before the most common "you don't do that" was internal audits. Typically my client companies were already doing everything (or very close to) the standard required.
 

Jethead

Registered
Was wondering how other organizations document the risk and the actions taken to meet the ISO 9001-2015 Section 6.1.2. We use a SWOT for our overall business model and use a custom FMEA template for the major processes. Auditor indicated that a number of companies place the Risk item and the evaluation for effectiveness on their Turtle diagram. Any examples would be great
 

AndyN

Moved On
Was wondering how other organizations document the risk and the actions taken to meet the ISO 9001-2015 Section 6.1.2. We use a SWOT for our overall business model and use a custom FMEA template for the major processes. Auditor indicated that a number of companies place the Risk item and the evaluation for effectiveness on their Turtle diagram. Any examples would be great

I've had much success with using management review for nearly all of the section 4 requirements. I wouldn't listen to any CB auditor who mentions risk and turtles in the same breath. That's not what ISO 9001:2015 is looking for you to do. Plus they are bringing mission creep from other schemes which think the answer to everything is a turtle. SWOT is good. FMEA is OK, but it takes a lot of work and input - and did you then create a control plan to manage the RPNs?
 

AMIT BALLAL

Super Moderator
I agree with Andy that issues and risks should be discussed as part of Management review. Too much documentation just to satisfy the requirement of a clause / an auditor is wrong. But people need to know the risks considered and actions that are supposed to be taken, otherwise no one would follow them. In such a case, documentation of these risks and actions will help.
Again, SWOT and PESTLE are easy-to-use tools and are effective. I am not a big fan of FMEA in such a case. Although I've prepared a format of FMEA for risk analysis, it will be time-consuming and is difficult to use. And when a system is difficult to follow, it will fall apart.
Please note, process-level risk analysis is not asked for by the standard. Risks based on context have to be identified and addressed in processes.
Still attaching examples of FMEA, Turtle chart here for reference.
 

Attachments

  • FMEA format.xlsx
  • Turtle chart.xlsx

fcabellorivera

Registered
In my opinion this is a very interesting point of this standard ISO 9001:2015...each company shall analyze its processes and determine if FMEA is the right tool in order to satisfy this clause of the standard...if FMEA is not the right tool we have a lot more tools available....It is very important to keep in mind that each organization is unique.
 

qualprod

Trusted Information Resource
Crusader

I'm with you relating to the risk approach.

I created a procedure and a format to manage risks.
In the procedure, I explained my method to rank risks by using Risk value = PxI (probability x impact); P and I values start with 1 through 5.
But these values come from an approximate idea of the person responsible for the risk, which most of the time is neither precise nor an exact value.
When I get the risk value, I assign it a type (A, B, C, D) according to the value, and according to the type, a timeframe is given to apply mitigation plans.
Additionally, every risk is analyzed by using an Ishikawa format to determine the causes for which the risk is present.

Finally, I think I'm overthinking this issue, and don't know what to do.

My idea was to implement something (procedures, formats) more seriously and obviously to be of benefit for the people.

But really, I find my effort is neither adequate nor effective.

I'm seriously thinking of adapting it in a very simple way.

Just what the standard is requiring.

To address risks and opportunities.
To do a scan of risk, and according to the risk, to apply mitigation plans, without ranking the severity of the risk, something very easy to manage, but I don't see the light as to how to do it.

Any Ideas?
My business has few processes and is not risky.
Thanks

Any ideas
 

AndyN

Moved On
I agree that you are overthinking this and making the whole approach too complex. The standard ISN'T about RBT in the way you describe... I suggest you go back to the "Context of the Organization" see what that says, then relate it to section 6 on Planning.
 